40 a sampling and statistic collection process 40. The data collector samples 42 one (1) packet in 
every (n) packets and has counters to collect statistics about every packet." [Appellant's 
specification Page 9, lines 11-14]. "The gateways 26 and data collectors have monitoring 
process 32 used to measure some parameter of traffic flow. One goal of the gateways 26 and 
data collectors 28 is to measure some parameter of network traffic. This information collected 
by the gateways and data collectors is used to trace the source of an attack." [Appellant's 
specification Page 14, lines 5-10]. 

Inventive features of claim 1 include mapping the traffic flow into a plurality of buckets 
by applying a hash function "f(h)" to the parameter of the traffic flow to output an integer 
corresponding to one of the buckets. "The algorithm will use some hash function "f(h)", which 
takes the packet and outputs an integer that corresponds to one of the buckets "B1 - BN"." 
[Appellant's specification Page 14, lines 18-21]. 

1 \v! >. v tl ' o ii .] I i !iu iu n ! in ♦ 1M5 l "> o 

comparing the number of buckets to a threshold. "Statistics from the packets start accumulating 
in the buckets "B1 - BN". The buckets "B1 - BN" are configured with threshold values "Th." As 
the contents of the buckets B1 - BN reach the configured thresholds values "Th" (e.g., compare 
values of packet count or packet rate to threshold), the monitoring process 32 deems that event to 
be of significance." [Appellant's specification Page 14, lines 21-25]. 

Inventive features of claim 1 include determining whether the number of buckets should 
be divided into more buckets or combined into fewer buckets based on comparing the number of 
buckets to the threshold. "As the gateway 26 or data collector 28 approaches a bucket threshold 
"Th", the gateway 26 or data collector 28 have the ability to take several buckets B1 - B3 and 
divide them in more buckets B1 - B4 or combine them into fewer bucket B1 - B3." [Appellant's 
specification Page 15, lines 18-22]. 
Claim 14 claims another aspect of the invention. Claim 14 is a computer program 
product residing on a computer readable medium for monitoring network traffic flow in a network. 
[Appellant's specification Page 2, lines 8-12]. "The gateway 26 and data collector 26 are typically 
software programs that are executed on devices such as computers, routers, or switches." 
[Appellant's specification Page 9, lines 6-8]. 

Inventive features of claim 14 include instructions to map traffic flow into a plurality of 
buckets by applying a hash function "f(h)" to a parameter of the traffic flow to output an integer 

Inventive features of claim 14 include instructions to accumulate statistics from the 
packets and compare the accumulated statistic values from the buckets to configured threshold 
values corresponding to the number of buckets to determine that an event is of significance. This 
feature is supported as the analogous feature of claim 1. 

. a i.ti^e - > »v> j . " + f K id ' mslMv k\s o oj -> t «. ; ^ x k is u^ t k 
number of buckets approaches a second threshold. This feature is supported as the analogous 
feature of claim 1. 

Claim 21 

Another aspect of the invention is covered by claim 21. Claim 21 is directed to a data 
collector to collect statistical information about network flows. "Referring to FIG. 4, the data 
collector 26 performs 40 a sampling and statistic collection process 40. The data collector 
samples 42 one (1) packet in every (n) packets and has counters to collect statistics about every 
packet." [Appellant's specification Page 9, lines 11-14]. 

Inventive features of claim 21 include a computer readable medium and a computing 
device that executes a computer program product stored on the computer readable medium. 

! . > ^ (,<J t .>S ■> " t! ie tvCi<.„j\ ofn. cp ja. ru ,»c^<. K> ; 

devices such as computers, routers, or switches." [Appellant's specification Page 9, lines 6-8]. 

Inventive features of claim 21 include instructions to map traffic flow into a plurality of 
buckets by applying a hash function "f(h)" to the parameter of the traffic flow to output an 
integer corresponding to one of the buckets. This feature is supported as the analogous feature of 
claim 1. 

Inventive features of claim 21 include instructions to accumulate statistics from the 
packets and compare the accumulated statistic values from the buckets to configured threshold 
values corresponding to the number of buckets to determine that an event is of significance, 
adjust the number of buckets as the number of buckets approaches a second threshold. This 
feature is supported as the analogous feature of claim 1. 

Claim 63 

Claim 63 is directed to a method of monitoring traffic flow in a monitor device disposed 

> <- < 5 K < K i lU.v t U 1 , uppOJCt ^ 10 i' J ) >s v. 1 f \ < 

of the traffic flow to trace a source of an attack. This feature is supported as the analogous 
feature of claim 1. 

Inventive features of claim 63 include mapping the traffic flow into a plurality of buckets. 
This feature is supported as the analogous feature of claim 1. 

Inventive features of claim 63 include varying the number of buckets according to the 
amount of traffic and number of flows to break down traffic flow into different buckets. "As the 

i v \ i n v. n t.to 2 » ) il ti b i t 1 5 )k Hi > t 

collector 28 have the ability to take several buckets B1 - B3 and divide them in more buckets B1 
- B4 or combine them into fewer bucket B1 - B3." [Appellant's specification Page 15, lines 18- 
22]. 

Inventive features of claim 63 also include analyzing statistics accumulated for a 
parameter and a corresponding threshold in the bucket to identify the source of the attack. "The 
function of the variable number of buckets is to dynamically adjust the monitoring process to the 
amount of traffic and number of flows, so that the monitoring device (e.g., gateway 26 or data 
collector 28) is not vulnerable to DoS attacks against its own resources. The variable number of 
! <. sah I v Uilt 'i-iiCH LtMsi o tftael \ hie sH-U^m n vin 1 1 e * 
categories (buckets) and looking at the appropriate parameters and thresholds in each bucket." 
[Appellant's specification Page 15, lines 23-31]. 
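
The bucket scheme summarized above for claims 1 and 63 (hash a traffic parameter into a bucket, accumulate counts, compare against "Th", and vary the number of buckets within fixed limits) can be sketched as follows. This is an added illustration, not code from the appellant's specification; the SHA-256 stand-in for f(h), the power-of-two resizing, the even division of counts on a split, and all names, limits and sample addresses are assumptions.

```python
import hashlib


def f(param: str) -> int:
    """Stand-in (assumption) for the hash function f(h): parameter -> integer."""
    digest = hashlib.sha256(param.encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big")


class BucketMonitor:
    """Fixed-size counter table: memory is bounded by max_buckets no matter how
    many distinct flows arrive, so a flood of new flows cannot exhaust the
    monitor's own resources."""

    def __init__(self, n_buckets=4, th=100, min_buckets=2, max_buckets=64):
        self.th = th                    # per-bucket threshold "Th"
        self.min_buckets = min_buckets  # lower limit on the number of buckets
        self.max_buckets = max_buckets  # upper limit on the number of buckets
        self.counts = [0] * n_buckets

    def bucket_of(self, param: str) -> int:
        return f(param) % len(self.counts)

    def observe(self, param: str):
        """Count one packet; return (bucket index, reached-threshold flag)."""
        i = self.bucket_of(param)
        self.counts[i] += 1
        return i, self.counts[i] >= self.th

    def split(self) -> bool:
        """Double the table. Keys of bucket i now land in i or i + n; each child
        starts with half of the parent's count (assumed derivation rule)."""
        n = len(self.counts)
        if n * 2 > self.max_buckets:
            return False
        low = [c // 2 for c in self.counts]
        high = [c - c // 2 for c in self.counts]
        self.counts = low + high
        return True

    def combine(self) -> bool:
        """Halve the table. Buckets i and i + n/2 merge and their counts add."""
        n = len(self.counts)
        if n % 2 or n // 2 < self.min_buckets:
            return False
        half = n // 2
        self.counts = [self.counts[i] + self.counts[i + half] for i in range(half)]
        return True

    def adjust(self, near=0.8) -> str:
        """Split when a bucket approaches Th, combine when traffic is sparse,
        always checking the number of buckets against the configured limits."""
        if max(self.counts) >= near * self.th:
            return "split" if self.split() else "at-limit"
        if sum(self.counts) < len(self.counts):
            return "combine" if self.combine() else "at-limit"
        return "unchanged"


def run_sample():
    """Constructed sample: 40 background sources, one source sending 120 packets."""
    flooder = "203.0.113.7"
    background = [f"198.51.100.{i}" for i in range(1, 41)]
    monitor = BucketMonitor(n_buckets=4, th=100)
    flagged = set()
    for src in background + [flooder] * 120:
        index, significant = monitor.observe(src)
        if significant:
            flagged.add(index)
    return monitor, flooder, flagged


if __name__ == "__main__":
    mon, flooder, flagged = run_sample()
    print("flagged buckets:", flagged, "flooder bucket:", mon.bucket_of(flooder))
    print("adjust ->", mon.adjust(), "buckets now:", len(mon.counts))
```

Because the bucket index is the hash modulo the table size, every key keeps a predictable relationship to its old bucket after a split or a combine, which is what lets the new buckets carry values derived from the old ones.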

Claim 70 

Claim 70 is directed to a computer program product residing on a computer readable 
medium for monitoring traffic flow in a monitor device disposed to receive network packets. 
This feature is supported as the analogous feature of claim 1. 

Inventive features of claim 70 include instructions to produce statistics corresponding to a 
parameter of the traffic flow to trace a source of an attack. This feature is supported as the 
analogous feature of claim 1. 

Inventive features of claim 70 in addition include instructions to map the traffic flow into 
a plurality of buckets. This feature is supported as the analogous feature of claim 1. 

Inventive features of claim 70 also include instructions to vary the number of buckets 
according to the amount of traffic and number of flows to break down the traffic flow into 
different buckets. This feature is supported as the analogous feature of claim 63. 

Inventive features of claim 70 also include instructions to analyze statistics accumulated 
for a parameter and a corresponding threshold in the bucket to identify a source of the attack. 
This feature is supported as the analogous feature of claim 63. 

Grounds of Rejection to be Reviewed on Appeal 

1. Claim 63 stands rejected under 35 U.S.C. 112, second paragraph, as being indefinite 
for failing to particularly point out and distinctly claim the subject matter which applicant 
regards as the invention. More specifically it is not clear what is further comprising. 

2. Claims 63-68 and 70-75 stand rejected under 35 U.S.C. 102(e) as being anticipated by 
Lyle et al (US 6,971,028) hereinafter referred to as Lyle. 

3. Claims 1-21, 50-62, 69, and 76-77 stand rejected under 35 U.S.C. 103(a) as being 
unpatentable over Lyle further in view of Hsu et al (US 6,098,157) hereinafter referred to as Hsu. 
"It is well settled that anticipation under 35 U.S.C. §102 requires the presence in a single 
reference of all of the elements of a claimed invention." Ex parte Chopra, 229 U.S.P.Q. 230, 
231 (BPA&I 1985) and cases cited. 

"Anticipation requires the presence in a single prior art disclosure of all elements of a 
claimed invention arranged as in the claim." Connell v. Sears, Roebuck & Co., 220 U.S.P.Q. 
193, 198 (Fed. Cir. 1983). 

"This court has repeatedly stated that the defense of lack of novelty (i.e., 'anticipation') 
can only be established by a single prior art reference which discloses each and every element of 
the claimed invention." Structural Rubber Prod. Co. v. Park Rubber Co., 223 U.S.P.Q. 1264, 
1270 (Fed. Cir. 1984), citing five prior Federal Circuit decisions since 1983 including Connell. 

In a later analogous case the Court of Appeals for the Federal Circuit again applied this 
rule in reversing a denial of a motion for judgment n.o.v. after a jury finding that claims were 
anticipated. Jamesbury Corp. v. Litton Industrial Prod., Inc., 225 U.S.P.Q. 253 (Fed. Cir. 1985). 

After quoting from Connell, "Anticipation requires the presence in a single prior art 
disclosure of all elements of a claimed invention arranged as in the claim," 225 U.S.P.Q. at 256, 
the court observed that the patentee accomplished a constant tight contact in a ball valve by a lip 
on the seal or ring which interferes with the placement of the ball. The lip protruded into the 
area where the ball will be placed and was thus deflected after the ball was assembled into the 
valve. Because of this constant pressure, the patented valve was described as providing a 
particularly good seal when regulating a low pressure stream. The court quoted with approval 
from a Court of Claims decision adopting the opinion of then Commissioner and later 
Judge Donald E. Lane: 

[T]he term "engaging the ball" recited in claims 7 and 8 
means that the lip contacts the ball with sufficient force to 
provide a fluid tight seal **** The Saunders flange or lip 
only sealingly engages the ball on the upstream side when 
the fluid pressure forces the lip against the ball and never 
sealingly engages the ball on the downstream side because 
there is no fluid pressure there to force the lip against the 
ball. The Saunders sealing ring provides a compression 
type of seal which depends upon the ball pressing into the 
material of the ring. *** The seal of Saunders depends 
primarily on the contact between the ball and the body of 
the sealing ring, and the flange or lip sealingly contacts the 
ball on the upstream side when the fluid pressure increases. 
225 U.S.P.Q. at 258. 

Relying on Jamesbury, the ITC said, "Anticipation requires looking at a reference and 
comparing the disclosure of the reference with the claims of the patent in suit. A claimed device 
is anticipated if a single prior art reference discloses all the elements of the claimed invention as 
arranged in the claim." In re Certain Floppy Disk Drives and Components Thereof, 227 
U.S.P.Q. 982, 985 (U.S. ITC 1985). 

Obviousness 

"It is well established that the burden is on the PTO to establish a prima facie showing of 
obviousness. In re Fritsch, 972 F.2d 1260, 23 U.S.P.Q.2d 1780 (C.C.P.A. 1972)." 

" \ " " 5 ^ . ^ -vd >\ w<. in s U soi^e oeic *vd>0! t n t _ , iT > \ ,\ ^ d. \o 
o' ;eeoui to us^ux vi'Ufbmath'n or 'notification of u'ferciees, /< vAY^,;,\ i ,2d l.' i% * 1S^. 

n -Jl' 1 ,^ p \ <l )"i x 1 , >. o 1 u uj , a , e <> _ e . „ U ^ . e 0 -< o . 
in various prior art references, the claimed invention taken as a whole cannot be said to be 
obvious without some reason given in the prior art why one of ordinary skill in the art would 
have been prompted to combine the teachings of the references to arrive at the claimed invention. 
Id. Even if the cited references show the various elements suggested by the Examiner in order to 
support a conclusion that it would have been obvious to combine the cited references, the 
t „ia~ > J, 1 1 ^ h,L> oj *s\ i 1 ud^ ^tu^est heJuik*. 4 u ■ t K v ^ u 
must present a convincing line of reasoning as to why one skilled in the art would have found the 
> ,c f^a^Oi *o<eb\;e oJi iuin ; Jv \\u\\r^ o* i,i JtO-j. Cn ' C . 21/ 

U.S.P.Q.2d 972, 973 (Board. Pat. App. & Inf. 1985)." 
"The mere fact that the prior art could be so modified would not have made the 
modification obvious unless the prior art suggested the desirability of the modification." In re 
Gordon, 221 U.S.P.Q. 1125, 1127 (Fed. Cir. 1984). 

Although the Commissioner suggests that [the structure in the 
primary prior art reference] could readily be modified to form the 
[claimed] structure, "(t)he mere fact that the prior art could be so 
modified would not have made the modification obvious unless the 
prior art suggested the desirability of the modification." In re 
Laskowski, 10 U.S.P.Q.2d 1397, 1398 (Fed. Cir. 1989). 

"The claimed invention must be considered as a whole, and the question is whether there 
is something in the prior art as a whole to suggest the desirability, and thus the obviousness, of 
making the combination." Lindemann Maschinenfabrik GMBH v. American Hoist & Derrick, 
221 U.S.P.Q. 481, 488 (Fed. Cir. 1984). 



Obviousness cannot be established by combining the teachings of 
the prior art to produce the claimed invention, absent some 
teaching or suggestion supporting the combination. Under Section 
103, teachings of references can be combined only if there is some 
suggestion or incentive to do so. ACS Hospital Systems, Inc. v. 
I'-V'-v; Hr , r : r ,i ■»•>« ijSPQ 9-r* (Fed. Cir. 
er mvms , o >_ r,J 1>*m u'^ o.e red> 

' , x . ^ (.1 »qi a > is * a kj 1 ivo- % vsnk i - r g n the prior art as a whole to suggest 
U oes t ,nK\ a to 'Uis ' it, m\ \uks u * oi u.aurv, *\u Cs mbinalion.' 1 " Froinson v. Advance 



1. Claim 63, as amended, is proper under 35 
U.S.C. 112, second paragraph. 



Liut^ . io ^i^ - . . .t, u i . om pan vent 
s atveu < n s ,h ivat ».e u w recites: -% 



amended claim 63 is proper under 35 U.S.C. 112, 
second paragraph. Analogous amendments were made to claim 70, since claim 70 had similar 

2. Claims 63-68 and 70-75 are not 
anticipated by Lyle et al (US 6,971,028). 

Claims 63, 66, 70 and 73 

For the purposes of this appeal only claims 63, 66, 70 and 73 stand or fall together. 

Claim 63 is directed to a method of monitoring traffic flow in a monitor device disposed 
to receive network traffic packets. Claim 63 includes the features of producing statistics 
corresponding to a parameter of traffic flow to trace the source of an attack. According to claim 
63 producing includes mapping the traffic flow into a plurality of buckets and varying the 
number of buckets according to the amount of traffic and number of flows by breaking down 
traffic flow into different buckets and examining statistics accumulated for a parameter and a 
corresponding threshold in the bucket. 

The examiner contends that Lyle teaches "Producing statistics corresponding to a 
parameter of traffic flow to trace the source of an attack (Fig 9, 908-310; col 2, lines 45-50; col 
7, lines 3-12; sniffers are used in analyzing and evaluating traffic flows to scrutinize suspicious 
activity in an attempt to ascertain the source of an attack)". 

Appellant disagrees. Lyle neither describes nor suggests producing statistics 
corresponding to a parameter of traffic flow. Lyle merely uses sniffers, but according to Lyle, 
the sniffer "continuously scans the data being received at various ports of various network 

fh<. .-r. 'ier-. .-.ea< -i for data suh,\mnc au actual ur ntapeeud au^.k. dwu-KJ more 
fully below, and provide information concerning suspicious data to other modules within the 
tracking system, as described more fully below." [Lyle Col. 7, Lines 7-12]. 

Sniffers in Lyle are used to examine data in packets that have the characteristics of a 
known attack. Lyle does not disclose the sniffers as collecting statistical information on network 
The examiner argues that Lyle discloses: "Mapping the traffic flow into a plurality of 

'k\.N(' i ' ^CitO v , » ! > >' 1 .cd > , M> „ i s ! -s "> v t 

a set corresponding to a single incident)." Appellant contends that Lyle does not disclose this 
feature either at col 7, lines 43-67 or by the definition of event data, "which is suspicious data 
is placed in a queue as a set corresponding to a single incident," since claim 63 requires 
mapping the traffic flow into a plurality of buckets, not events that correspond to incidents. The 
events are not traffic flow. 

The examiner argues that Lyle discloses: "Varying the number of buckets according to 
the amount of traffic and number of flows according to down traffic flow into different buckets 
and examining statistics accumulated for a parameter and a corresponding threshold in the 
bucket (col 7, line 43 to col 8, line 5; col 13, lines 42-50 .... once an event (a set of data 
corresponding to an attack) is placed in the queue, other event data is grouped or combined with 
existing event data to associate related events into a single incident object. Also, events that do 
not bear similarities on their face may also be combined or aggregated based upon event rate in a 
given network or sub-network. Thus varying the amount of event data sets destined for the 
analysis framework module)." 

Lyle merely teaches to associate related events. Lyle teaches: "The analysis framework 
1 *s ^ . o-> \ i0 s - ,(.nis>oj H t v obe>* a- Je-u % ■ <> s i ^ 0v > 5 v *a 

stores data relating to the event in an event database 322. The analysis framework 308 also 
determines whether an event is associated with an existing event or group of related events, and 
associates related events into a single incident software object. Events that are not related to any 
other events are associated with a new incident object and may be later grouped with 
subsequently-received event data that is related to the same incident." [Lyle col. 7, line 61 to 
col. 8, line 4] 

Thus, Lyle does not describe varying the number of buckets according to the amount of 
traffic and number of flows into different buckets and examining statistics accumulated for a 
parameter and a corresponding threshold in the bucket. 




Accordingly, since Lyle fails to describe all of the features of claim 63 arranged as in the 
claim, Lyle cannot anticipate claim 63. 

Claims 64, 66, 68, 71, and 75 

For the purposes of this appeal only claims 64, 66, 68, 71 and 75 stand or fall together. 
Claim 64 is representative of this group of claims. 

Claim 64 further limits claim 63 and recites that: "varying varies the number of buckets 
so that the monitoring device is not vulnerable to DoS attacks against its own resources." This 
feature is not described by Lyle. 

The examiner argues that: "As to claim 64, Lyle teaches the method of claim 63 wherein 
varying varies the number of buckets so that the monitoring device is not vulnerable to DoS 
attacks against its own resources (col 19, lines 37-45; the protocol disclosed by Lyle teaches a 
strong protection against denial of service attacks as well as other forms of attacks)." 

At Col. 19, lines 37-45, Lyle discloses: "In addition to this strong protection against this 
denial of service attacks the communication protocol described above protects the tracking 
systems from other types of attacks by requiring that the would be attacker both know the 
communication protocol and have the cryptographic hash function being used as part of the 
communication protocol in the tracking systems installed in the particular administrative 
domain." 

However, as described by Lyle, it is not the event scheme that protects the tracking 
system from attacks but instead, it is the: "In addition to this strong protection against this denial 
of service attacks the communication protocol described above protects the tracking systems 
from other types of attacks by requiring that the would be attacker both know the communication 
protocol and have the cryptographic hash function being used as part of the communication 
protocol." [Lyle, col. 19, lines 38-45] 

Accordingly, since Lyle fails to describe all of the features of claim 64 arranged as in the 
claim, Lyle cannot anticipate claim 64. 
Claims 65 and 72 

For the purposes of this appeal only claims 65 and 72 stand or fall together. Claim 65 is 
representative of this group of claims. 

Claim 65 further limits claim 63 and recites that varying the number of buckets includes 
comparing the number of buckets to a threshold number of buckets and determining whether the 
number of buckets should be divided into more buckets or combined into fewer buckets based on 
comparing the number of buckets to the threshold and as the number of buckets changes, the 
buckets have values derived from the buckets prior to the change. 

As to claim 65, Lyle teaches the method of claim 63 wherein varying 
number of buckets comprises: comparing the number of buckets to a threshold 
number of buckets, determining whether the number of buckets should be divided 
into more buckets, or combined into fewer buckets based on comparing the number 
of buckets to the threshold; and as the number of buckets changes, the buckets have 
values derived from the buckets prior to the change (col 7, lines 43 to col 8, line 33; a 
statistics database is consulted including a threshold based upon incident rate to 
determine in part whether or not the event data set should be combined or split. 
Once a decision is made, variants within the event data set essentially remain the 

Lyle does not describe that the number of buckets changes based on a comparison to a 
threshold. The examiner argues that: (col 7, lines 43 to col 8, line 33; a statistics database is 
consulted including a threshold based upon incident rate to determine in part whether or not the 

Lyle does not describe a threshold based on incident rate and does not determine whether 
event data should be combined or split based on a threshold. Rather, Lyle describes: "One of the 
tools used by analysis framework 308 in determining whether an event is associated with one or 
more other events is a statistics database 324. The statistics database 324 stores the average 
incident rate of each sub-network within the network served by the tracking system and a 
first-order variance of the average incident rate for all networks with an above-average incident rate. 
The baseline incident rate and the variance are used for all networks with an average or 
below-average incident rate." 



Lyle describes that: "The analysis framework 308 also connects to a policy database 326. 
The policy database 326 is used to store information concerning how certain types of events and 
incidents should be processed by the analysis framework, including the responsive action, if any, 
to be taken by the analysis framework. For example, for a particular type of attack or suspected 
attack the policy database 326 may indicate that the attack is to be logged but otherwise 
ignored." [Lyle, col. 8, lines 15-22] 

Therefore according to Lyle, the incidence rate is used to process events. Lyle does not 
specifically describe that the incidence rate corresponds to a threshold number of buckets as in 
claim 65, but rather corresponds to a rate at which incidents occur in a network or sub-network. 
Therefore, Lyle does not describe determining whether the number of buckets should be divided 
into more buckets or combined into fewer buckets based on comparing the number of buckets to 
the threshold. Lyle also does not describe that as the number of buckets changes, the buckets 
have values derived from the buckets prior to the change. 

Claims 67 and 74 

For the purposes of this appeal only, claims 67 and 74 stand or fall together. Claim 67 is 
representative of this group of claims. 

Claim 67 further limits claim 63 where comparing statistic values includes accumulating 
statistic values . . . and comparing the values . . . to thresholds that depend on the number of 
buckets. Lyle fails to suggest this feature. In Lyle the number of events is not based 
accumulating statistic values from the packets or comparing the values accumulated in the 

! i f s U ! ^ t i 1 ' „ < " t 

capturing packet content as well as data related to packets. Thereafter, the data requiring further 
analysis and/or evaluation is discerned and stored and placed into a queue for further scrutiny by 
the tracking system)." fails to address the claimed limitation. 
3. Claims 1-21, 50-62, 69, and 76-77 are 
patentable over Lyle in view of Hsu et al. 

Claims 1 and 7 

For the purposes of this appeal only, claims 1 and 7 stand or fall together. Claim 1 is 
representative of this group of claims. 

Claim 1 calls a machine implemented method of monitoring traffic flow .... Claim 1 
includes the features of producing statistics corresponding to a parameter of traffic flow to trace 
the source of an attack, . . . mapping the traffic flow into a plurality of buckets by applying a hash 
function "f(h)" to the parameter of the traffic flow to output an integer corresponding to one of 
the buckets, accumulating statistics from the packets; and comparing the number of buckets to a 
threshold. The claim also includes determining whether the number of buckets should be 
divided into more buckets or combined into fewer buckets based on comparing the number of 
buckets to the threshold. 

statistics corresponding to a parameter of traffic flow to trace the source of an attack (Fig 9, 908- 
310; col 2, lines 45-50; col 7, lines 3-12; sniffers are used in analyzing and evaluating traffic 
flows to scrutinize suspicious activity in an attempt to ascertain the source of an attack) ..." 

For the reasons discussed above this feature is not taught by Lyle and Hsu does not cure 
the deficiencies in Lyle. Moreover, Lyle does not specifically suggest producing statistics 
corresponding to a parameter of traffic flow to trace the source of an attack, . . . According to 
Lyle: 

The sniffer module may also search for other information, clues, or signatures 
previously associated with attacks on the network being protected or other 
networks. For example, the sniffer module may identify all messages sent from one 
of a list of suspicious source addresses, or messages attempting to access a computer 
system within the network or sub-network associated with the tracking system via a 
service known to be vulnerable, such as telnet, or messages containing strings 
present in messages associated with prior attacks. 



Thus, Lyle discloses that the sniffer looks for strings of data present in packets or 
messages, and does not specifically suggest producing statistics corresponding to a parameter of 
traffic flow. Lyle further discusses that: 

In one embodiment, statistical information from the statistic database is used 
in determining if the rate of certain types of messages, as described above, exceeds a 
normal level. In one embodiment, the normal level or rate of certain types of 
message is programmed into the sniffer module as part of the configuration process 

the sniffer module identifies as suspicious any series of data packets that exceed 
the rate established at the time of configuration 

Lyle describes the statistical information as normal level or rate of certain types of 
messages. Thus, Lyle in no sense suggests much less describes producing statistics 
corresponding to a parameter of traffic flow, since Lyle merely examines patterns in the traffic 
flow not statistics on traffic flow. 

Moreover, Lyle does not suggest mapping the traffic flow into a plurality of buckets. The 
examiner contends that: "Mapping the traffic flow into a plurality of buckets (col 7, lines 43-67; 
event data, which is defined as suspicious data is placed in a queue as a set corresponding to a 
single incident)." Event data however is neither mapped into buckets nor does the event data 
correspond to the traffic flow. 

Lyle does not suggest: "Accumulating statistics from the packets and comparing the 
number of buckets to a threshold" whether at col 1, lines 32-42 and col 8, lines 0-14; or 
elsewhere. The examiner argues that: "many thresholds, such as incident rate, preconfigured 
criteria, timestamps, etc, are considered in determining the significance or importance of a 
possible attack." Whether that contention is correct or not, the contention does not address the 
claimed features namely accumulating statistics from the packets and comparing the number of 
buckets. 

As for the feature of: "determining whether the number of buckets should be divided into 
more buckets or combined into fewer buckets based on comparing the number of buckets to the 
threshold," the examiner relies on col 7, line 43 to col 8, line 5; col 13, lines 42-50: and argues 
that: "once an event (a set of data corresponding to an attack) is placed in the queue, other event 
data is grouped or combined with existing event data to associate related events into a single 
incident object. Also, events that do not bear similarities on their face may also be combined or 
aggregated based upon event rate in a given network or sub-network. Thus varying the amount of 
event data sets destined for the analysis framework module)." 

The examiner's characterization does not address the feature of the claim, namely that the 
number of buckets are divided into more buckets or combined into fewer buckets based on 
comparing the number of buckets to the threshold. While indeed Lyle discloses a so-called 
single incident object, that single incident object associates other event objects. Lyle does not 
describe or suggest that the number of objects are divided into more objects or combined into 
fewer objects. Rather, Lyle clearly discloses that the event objects are maintained in the log 
J-ul a e. Thus, the single event object does not combine the objects but rather simply associates 
the objects for later analysis or retrieval. 

Claim 1 also requires that the buckets are divided or combined based on a comparison to 
a threshold. Lyle does not suggest that the single incident object is formed based on 
comparing the number of buckets to a threshold such as the incidence rate. 

The examiner acknowledges that "Lyle does not explicitly indicate the use of a hash 
function to output an integer corresponding to one of the buckets," and thus relies on Hsu to 

using a hash to output an integer corresponding to the location of a location of a unique 
bucket identifier (see Fig 8, col 4, lines 26-38; col 5, lines 18-23)." 

it would have befcn obvfotb to one with ordinary skill t» the art at Use that- iht 
im-emion ivas. fnaise to comhittcthe tiiscUisnre of Lyse with the-. Slashing tccs^ siUjs.u.-s. m 
Hsu tf> «s»ke she system more efficient, U&ing Uk hashing $« antqae, « iiki) utilit*. 
atidrtaMis, vvi-i ofitpu! tiu: unique backet identifier quickly. Because Lyie ais<! asvs 
addresses t<> relate evens sfata to aggregate iiverds ir;i<! ;i si'sgie incitiest: ftssjeoi. ih<: 
ii.se ;vf Hms's hashing tedsaique sv«wid work seatniessiy. 

Applicant disagrees. Hsu describes that: 

destination address pair is then obtained 204 from the captured data packet 100. 
Byte size information of the captured data packet 100 is also preferably obtained 
206. This information is then used to create or update 208 records stored in the 
memory of a conventional computer used to track the amount and size of data 
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■a JaM SiMSSli ti-^i.iHu> l-ows-us tvn> -swics «• the t AN. 



! it. ? «imh.i m i-\«B{iian fir\t t.a>;,. wr f itts ecmwnu mSor 
»(»jf Use a:Jxo»!H ,!!ui si/v oS o<ita trending saio ;sa-S i-tti os ^ \pccii>i- twai- «fs :i 
I -VN. Sp« i :fk\iifv, tadi ?w WO iram tin- tahk fs. nuse^d l» a ikx!? aJarc,- uml 
tsrassuns the toaiowhi" ititorroatiou: 

1 a o.ea;^ -k<.ae>u :e a sab.e -tored :u mei::orx and a-' sud. :es.u;nvv the <a>e v -{ a 
ltehn,<?ue to -i;-5:nhuw - stne.>. e l< a hesl. mtKHon. ( >k- or. ibc >*;Lu bane ! t * ci-uv^a an 
mvweniem u v xxhiolt the iswck'U oh} ecus ait' sioted \r. avl-itabr.se thus apparent h i)CHi c - :se sucb 
.rxJ for a J'-^rDiihv • e;ra h xvoo'.d not he su^-.-^s.j i uxkiv ! * *e :e ^'i.-ei u*. a,ievs^ 
oHK emr^, soux § ch's a Jaiab.^e Indeed Hs'i <.kvs -;ot t b-s nhe " : v.pnipe th„ lu-tVie 
How uno a p]n:.d:iyur bicker p\ aprlva^ a h;Ht funei <m 'M?h - ' :o kt. pa'.aiu\e* i*'\lu> tv.l!!< 
;K>xe to ompui an tetyr t orrosptct-bng i<» out- <u the bucbais." in are, e\ e:» 

iisd-.Xvi. me j\as::suu does k\ o<;i ;/e that "I \k dot-. tu..eh the x-»e ,0 t\H thru a:s ;$: a 
ar;f :ue ^ .iy to < fro v. s ■:!> ..Oi-ninun^ae v ^i!' the „•*} su-:} >;vc a>\ \ 1 . S ue ^ i ; ^ - >. " \ U >\\ eves 

i ■> it- \\ui: Ksu to trap tlv nat'tic i1o>x mfx a ofiuai'tx ot'bu.ket . whieb ru'sl^r ' x te no~ • 
,shi<\\ by ippisrag the bvs-i fuucij r\ to ihc peiximescr oi the riaiVu t\nx in •sisimt ,u: ir.e^e: 
eefrespeu>.!5^ to o 'fi - hr.eke^-, h,.-.ausj t[n>\. \seiud n^t l-ax e ..-.K ^'uai t J 1,-. ar^erj.at 
J-A-o^eu ar.O >a^i^s-eJ !•> I x]e. 

/\e..orJes;j.x sM:e ojJie.ips okdi sr die an weiUd noibe 5j,'tua!<„J • - cosebioe ! \.exv:f ! t 
J^a.;u! ibeeo ; no !La:>)n t \es: ;:~M^ t ^^te<I Jc m,oT !ea:.i al? of u l \Uures \rpl-eaiit - 
, Irants A-.eose nv:b. f!^, <iJJo u.» tjrtb.er leaching io eu;c tb. »lei:e >,t ,.te\ i ^ le a=:<' Lse^fo-. 

Claim 2 

{ I. ii 2 'ir.ists eljKr. i ano \<x Lcs dua fbj biiCMJh are <:ti>reiV areas r\ x -er.i^i> L;,i<. 
deals v» a dala^ase .r.s j eoes noi apei if.ealb, diseu^s b:i-.kv.-ts ao 5tvra^<. ;.eeu^ m n;e;;u>!x 
't;!e -.x\ns n:«i\ ;\-mJo m juuuorx . te^p.-rauh tlfevme .\h\r\ Ju.> .o^l'J ett.> the JaUki^e 
taught by Lyle. Hsu, which does discuss memory, would not cure the deficiencies of Lyle, since 
it would change the principle of operation of Lyle and is therefore not suggested. 

Claim 3 

Claim 3 further limits claim 1 by reciting that as the number of buckets changes, the 
buckets have values derived from the buckets prior to the change. Claim 1 recites the feature of 
determining whether the number of buckets should be divided into more buckets or combined 
into fewer buckets based on comparing the number of buckets to the threshold. As discussed 
above, the combination of references do not suggest that the number of buckets changes based on 
a comparison to a threshold. 

Appellant discusses in the specification (page 14, line 21) that: 

"Ji.- ;r» -no i, ;k\\.a ^ vkes th<n u,v<l *.\ 3 v 
divides that bucket Bi into some other number M of new buckets 
Bi1 - BiM. Each of the new buckets Bi1 - BiM contains values 
appropriately derived from the original bucket Bi. 

Appellant contends that Lyle does not teach that as the number of buckets changes, the 
buckets have values derived from the buckets prior to change whether at col 7, In S^-o" 1 or 
elsewhere, since the single incident object does not combine events but merely associates events, 
and thus the single incident object does not derive data from the events, but merely has the data 
from the events associated. 

Claim 4 

Appellant also describes (page 14, line 31) that: 

Also, the hash function is extended to map to N+M-1 
("h→N+M-1") values, rather than the original N values. 
[Appellant's specification page 14, line 31 to page 15, line 2] 
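
The bucket division quoted above (one bucket Bi divided into M new buckets holding derived values, with the hash extended to N+M-1 values), sketched as an added example that is not code from the appellant's specification or from Lyle or Hsu. The two-level keyed hash, the even division of the original count among the new buckets, the `max_buckets` cap and the `rekey` reset are assumptions made for the illustration.

```python
import hashlib
import hmac
import os


class BucketMonitor:
    """Packet counters in hash buckets; a bucket that reaches Th is divided."""

    def __init__(self, n, threshold, m=4, max_buckets=64, key=None):
        self.n, self.m = n, m              # N top-level buckets, M new buckets per split
        self.threshold = threshold         # Th, compared with a bucket's packet count
        self.max_buckets = max_buckets     # assumed cap bounding the monitor's own memory
        self.key = key or os.urandom(16)   # secret hash key (assumption)
        self.slots = [0] * n               # int = one bucket, list = its M replacements

    def _h(self, level, flow, modulus):
        # Keyed hash: a flow parameter goes in, an integer bucket index comes out.
        msg = b"%d|" % level + flow.encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:8], "big") % modulus

    def bucket_of(self, flow):
        """Extended hash: after one split it has N+M-1 possible outputs."""
        top = self._h(0, flow, self.n)
        if isinstance(self.slots[top], list):
            return (top, self._h(1, flow, self.m))
        return (top,)

    def num_buckets(self):
        return sum(len(s) if isinstance(s, list) else 1 for s in self.slots)

    def total(self):
        return sum(sum(s) if isinstance(s, list) else s for s in self.slots)

    def observe(self, flow):
        """Count one packet; return the bucket id when it reaches the threshold."""
        b = self.bucket_of(flow)
        if len(b) == 1:
            self.slots[b[0]] += 1
            count = self.slots[b[0]]
        else:
            self.slots[b[0]][b[1]] += 1
            count = self.slots[b[0]][b[1]]
        if count != self.threshold:
            return None
        # Divide only top-level buckets, and only while under the assumed cap.
        if len(b) == 1 and self.num_buckets() + self.m - 1 <= self.max_buckets:
            self._split(b[0])
        return b

    def _split(self, top):
        # New buckets hold values derived from the original (assumed: an even share).
        share, extra = divmod(self.slots[top], self.m)
        self.slots[top] = [share + (1 if i < extra else 0) for i in range(self.m)]

    def rekey(self):
        # Fresh random secret: flows are reassigned; counters restart (assumed).
        self.key = os.urandom(16)
        self.slots = [0] * self.n


if __name__ == "__main__":
    mon = BucketMonitor(n=8, threshold=100)
    # Constructed traffic: one heavy source among 50 light background flows.
    for i in range(400):
        hit = mon.observe("198.51.100.7")
        mon.observe("192.0.2.%d" % (i % 50))
        if hit:
            print("packet", i + 1, "reached Th in bucket", hit,
                  "- buckets now:", mon.num_buckets())
```

Once the hot bucket has been divided, the heavy flow keeps landing in one of the M new buckets, so the next threshold crossing narrows down where the traffic comes from.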

The examiner contends that: "As to claim 4, Lyle and Hsu teach the method claim of 
claim 1 wherein the hash function adapts to map to the new number of buckets, as the new 
:u. j;bci of i\:0x,;s cb t "it>o\ (c^i 4. bmrs Hn. backet hu j-Ij^c t iin. t j< o and -e\. bu> 

ci'.n.iuioil. t5 > sto oo.ios|-*-n«ln v idennfiei if, on tiu- • ilui h-ud. . pulL.-: > a i;ru«.iu 

dmtxtier .is created*. * 

V i <.-■. s.^se-1 abo*. • sK e--n on of] \ aiiU Foi! no; ^.;^s;eNV< . nt i;n;s t jo 
eoeee:U of ao .Ui.-i. ?HiCkcU .xA tb.it ;bo bjsb umcuoii . : Juptd 10 -pap ' ■ tbe u s\ -nnnbc: o- 1 
bsv : w!-\ uz tbe Siu-v :)i.2ii!vi <u bu 1:."^ >. lanac*. u. jo: .-ui^esied 

bru a: tne c t ; .-d p.i.->s<jgo teaehei operanoif oi"a t:-ble tbas eone.Tn.- r.>vmuuon pen.u?tn\>, 
io nafhc i,tx or oui v-i j node. Ib-wc* or. ifvn Joes not dis-.ios-.- a ree.-rd sou-tiKi <d *k<a 
na^aue. H.v. i.* Jt,\v-u! of dtp, st^LV-doa oi a iu^b fu-n tior. tbat adapts k< i tap to dttr ne*\ 
ui..nb<-r ofbuei.-i-,, tbe \ t-* :nneoer of bucket changes L>L- «nst. does no: >a^°' «* i 
b. .Uior* fhat .iskspts used -n cb .ages tbe nnntber of baekeu 

Claim 5 

Claim 5 further limits claim 1 by "comparing the value accumulated in the bucket to a 
threshold that depends on the number of buckets." 
The examiner contends that: 

\\ '<> vi.m;i I <. ie ti^ohcs iht int'iti<>d >>f claim i. « hot e>« vnsp.is ms; M.:!istii 
uhso cosnj-n^ jtt!>«nsutuiB M>it!->{K > <i«afcs frow thi- p.u.ktf- aiiti ti-nijuf ism £!k> 
"--Hits aecamuSa'cd sts ^uiiveK 'o thic^iioKK tftas dqu-iui ->n the rntsnbo y 
!)i!Ckti\ u»J ^. ii'ivs j Zi> Ami 4*-*>i; wiittrs ;i! e tsiih/eJ in caj'tf-riH'; ct cofsus-i 

^■i fs.sh(,iti«« iiiwcsnKi .liRi Mosul \ iaetxf hi't> iS qwi>e i-a fun in j 
scf««BV bv tftc tracking ..wsteau 

\n^.dLiiU djN\»ioe^. \^ o.sei^.-oc: above L>le does not ^ac^eM tbe I'^wntc-^ si\ i 
f t a- dooi .*ae.^^j 'WMiipai it.i! die '-alwc jtimubded it; the bu.-ke! to dtre^aold Pa;a 
ov >u <'s on tin- -inrtl -e- of t tek^t^.'" ^ vL- ^-achot: to e\ cuts and to .iS^aaL c\ but •h -k- 

Claim 6 

Claim 6 limits the method of claim 1 by reciting that the parameter is the count of how 
many packets a data collector or gateway examines. Lyle whether at col. ?, lines 3-20 or col. ?, 
lines 43-67 fails to suggest this feature. Lyle examines packets for strings or patterns; it is not 
seen where Lyle maintains any counts. 

Claim 8 further limits claim 1 and requires that the hash function changes periodically in 
a randomly, secret manner so that packets are reassigned to different buckets. 

As to claim 8, Lyle teaches the method of claim 1 wherein the hash function 
changes periodically in a randomly secret manner so that packets are reassigned to 
different buckets (Figs U A and B) 

Lyle's discussion of the hash function and a random hash value pertain to the 
communication protocol, not to the features that the examiner relies on to suggest the features of 
claim 1. So although Lyle does disclose a hash function and a random number to use as a seed, 
Lyle does not disclose to apply that to reassignment of packets to different buckets in a 
randomly, secret manner. 

Claim 9 further limits claim 1 and requires that the variable number of buckets 
dynamically adjusts as the amount of traffic and number of flows monitored so that the 
monitoring device is not vulnerable to a denial of service attack against its own resources. This 
feature is neither described nor suggested by Lyle whether at col. 19, lines 3? -45 or elsewhere. 
While the communications protocol disclosed by Lyle may be a strong protection against other 
forms of attack, Lyle does not disclose it as effective against denial of service attacks. 
Moreover, the communications protocol is not what the examiner uses in the rejection of claim 1 
and thus the communication protocol feature of Lyle has no relevance to claim 9, since it is not 
seen that the event objects which the examiner does rely on provide the function or the features 
of claim 9. 

Claim 10 

> -5, \ o-mU i i, j r . <.UvfVMt.it H ^ u - 'iniv, ! > ^o 
( jvTiiilu'rt tko ivroct or souiccb oi diiuc], In breaking Jaw* hutTio into Usttaem b\ ! i.k,.v .v^i 
cv.ii.r: nog .^at.^.,<- - ^ec.sn.Jjiod <W a oar.imcici and a <j- -i ■ opoist sr.*; tk^koU :o e.i,:h haokct 

\-! Ht ol.iini SO, L t tt HTiJu'i tfse U mtiubct «} huike!- vftlt (t»ti> smsio 

0<c v>!(ivfo! w-itim ui ssU.tcL Ijj Sirt-.ikiii^ <im>n rraStic isife ttitfweiti {uttAc*.- 
i'\,it!!M:iiii; \ti»t*HCN attmmaateU tof a p:ir,itnt'ti:t' ,md com sp<;n(h;!2 «h»\wj»!i. -n 
ejtSi imri-ct t»fi S. hnc» M--*, tJu- t^esii along wlh trie- jjot-n .i^iym! io! Vt.a 
eu'U ss. :(sed sti (f diikisjp iht a!!,nl> ts,}ck t(f it* oi!i,in, {he is, tide!!! ohfwi =« »vh>ch 

tiU' ! W!Sf Was Ill!>i< ; i)ak'(! Vvli i:i l,!Ct itfl'Btth th<- vQUU'O <>: Silt .ittaci 1 

I \ V Ui.b u-u^gw-s io htak 'ujfiio down into diffl-re it buok^ kkiH.< . \ io iraok<s 
o^-out^ »uui ass<>> \uv ; ovont.s into incident obje< i kas no u\u kir^e 'Ju* s^geM cxajpi.nrig 
ot<H.ii:i.i ac^uuanatU lor parv.u> v: ami a .:u!Kancnd;ng tkivMioki m t\vh k- £ <±u K 
V;;t/ik.-s msuL'w nito\ 1> -wovcr, Hsvst. u.aoimig^s\ axanahL n.;n:-iO! o k >i.<eko"Mba'. 
- ,v io c.itVs ;<J-,:;r.jik-; iko -v-osw o- .->0i.)soe? v^aPaok h\ hvikJUg Oow r. 'u^kfio :i . diftuun 

Claim 11 

( Unn i ; funbei u tits iho .noliud ofckvin- i iVistornn; :kai the :kui'jc .s h>) u\>^d a f 
•.fnjl'.ip^ ■tveks or^i t !:nj':inT\ from d£pxtssic io nsdiMdi-ai i]o%\i> Hi;- it v ooniond^ 1 -at 
s }le:> Icack n-s .n >„o " ki.es 1 ft< oo', i.. ano f>3 "inJis jJu.tl cts, o^ omk \i ,:?cat.t){ -b -.-cK 
i io .i;sa!y/?c". a:vi -\;<lu;r..u at nuPioi>^ ;^ 'nits thtnnir orooos°Uif ofg;\ .-:! rj;o,\ N i itiou." 

:-.;-pond :-ioriS(fi t;aAh - x - r.iui'.ipk. ivwk- <if ^xcJa\^\ , k-.^s, ,u;^og,i!, v i^OisMj;. 
;k;v. ^ 1 ioA .X'opcP.jnT n- w-.t t> < ,ho c\ieni hut l\ .-nts a-i>! ikv.L-i: o n -<, ;-n o>» sov^ i,r. io 
ij^lupk- l.'U'k-: >.:oe i>Uvit\ , tkost io.it jjos Ml ylo do not cor;...rp .n<: K> ;ro'i,\ i ; ;h> -J^o uaJlc 
at multiple levels of granularity from aggregate to individual flows. 

Claim 12 

f 'kiim ' : iiijuci hums tb. nuikxt ol eLdm ) to whore t io iaei;u4 is ap^bed <^ 
r>. ■mfoi -us; of TOP p.nloi :vuk>5 jfd lepst^ot n<iffie The. .".\immer .'roues ><ui i v!c Vach,^ 

,;1 "(CO. " ,.kc ."i' 1 k' CO! ,s\ kPO UaiTk ftOH; UUUviOUS is pes 01 !,a^,i-'ks eJ.n; :.■ ; > p 

so-vo-^ -s est-d .ui-i mane ou^ vahte^ inelutK d s:i the fUiti^v;' daur-a ,ee ei-, iosedV' 
AppeLare vksa^ees \i in- ixmoi in L\ 1o s^neraih or ;n the , uU pa-- ^ < ooos I \ ie 
o^ek>5e 'jK<ip::.;r'ij'. oi' i CP mxke' nrxK ami n } pn-fsor tuifrie " ^>le T;op..:-> : - i \ e;Hs, .e d 
s^ek^es iaai; "v- >se;s s:tjom;<)U--n related Jo au actual -ei suspected .dtad: ts -cen'ed b\ ihe 
xiixloO' e>-u^e- ■*!>.." or dvLUJiv-u >\ c-iiuixr module 3vH. the iv!e\<a: s > v.^unAn>n pjovjded 

^je-.ei* hilu, i' r c o < nt niau, ere, ; <»<Meee\,- le-i-,-^ i ! o Ju'e 

- <to ' e\ v:ir" data, pUees t u a queue, and prm iuc? dak. •- ■ me arab ^aae-^o- t. 

iioduk- d^s ; 1 r pre, es„-n^ . one e* oir at a mv.c. at prede-e;;n,ned i u-.-p, j s ' ! ! -*-s, ; \ !e \i:VJ\-? 
i uresis ie p^c^s s«af>-t:e,i; iekbunaUvi! io dmem-itso -he ^outee of ar, aueck ;>)■ liu ,-ax esf-e 
tur>' f :eai ^-lo-matior oi'ehim !.?. hn; tatlkTonh morsHo.fs ce.Uifs w.ihh cm- expend v. ar .v. tuai 
>r suspected snack. 

QMmM 

Ckam i? rmthes limits die me Cod of claim 1 h> i ceding thai {be dux^Ldd is a fn^t 
vs s *J uMoee.-o* , i \ i i u iu iL ^\ - (l , ^ ! tv^! ''v s ,) 

e<.e:sd i uesho e ^ -.lues io wUern,!! i t) jt dn c\e;u i-' ofsiiprulcanee 

• sfJicr eonujjjMrie, , onip,vi.'^ ao^tii-jii .uU sian-U-e \aines iV-m ti>. i\.e!,ot,s \,- -„eo;V i sseoiiolo 
alu<.o $o -'eteni::u>- :: s «n e t e\en f ^ 'ff^nificiivee (uo( 7, lines ?>:~41 c-A eo: \ i:ne- o usauv 
htesisoios. Mi. :■ \x\den? nue euxs .mi-iaed enH-ri i. tiiuesuanp^ e*e .ko eon;ac ; c : ^J ^5; 
-,,o- iji-nsiiij : k- s;e; -(je.ei.o oi ■. uinee of -t posM^h atu.ek}; 

^ 5 i- N ' U>> \M I I k\lt .!| t 1 , J i f Oi i ' s k.< ^ i k s ! 

^ei;:,e.^ -he \\v<.\ uu^VoiA as ease^ed ab<ne {Io^cstj, claim ! " i ■■>.: \- :\.qieres i:ve ik<- 
v ) i > i OS + " ^ > s„ > a A [ \ ||) I 1 , J} t * v »/ 1 <. f J t U vO 

0 d 1 t >. t ik << j t. UJ* X M lkL i. j U.v i iO "* > 1 v s > v. 

1 1 i- h v \v > j (.v.ii.i.1 ''I 1 M i PiXI I>1 O , Us * i 'io! ! ! L .v 

< >v v k< « v ' * I i. *i at 'wk'* o^t i ^Ov ^ < 1 ^ v V 

1 i< v. i'^v 'm t <i iiu , nvf }o->k t . i i v j < 

* >- - v - v e*«. < ft' i te. U -Kuu'^ la k ,h s vt itv 

Accordingly one of ordinary skill in the art would not be motivated to combine Lyle with 
Hsu. Accordingly, Hsu adds no further teachings to cure the deficiencies in Lyle and therefore 
the combination fails to suggest claim 14. 

Claims 15 and 50 

For the purposes of this appeal only, claims 15 and 50 stand or fall together. Claim 15 is 
representative of this group of claims. 

Claim 15 requires that based on the second threshold, the buckets are divided into more 
buckets or combined into fewer buckets. Lyle fails to disclose the claimed second threshold to 
divide or combine buckets. 

Claims 16 and 51 

For the purposes of this appeal only, claims 16 and 51 stand or fall together. Claim 16 is 
representative of this group of claims. 

Claim 16 further limits claim 14 and recites instructions to divide the bucket into a 
different number of new buckets containing values derived from the original bucket. Lyle does 
not teach to divide buckets and because Lyle merely associates related events, would not 
inherently suggest dividing a bucket into a different number and derive values from the original 
bucket. 

Claims 17 and 52 

For the purposes of this appeal only, claims 17 and 52 stand or fall together. Claim 17 is 
representative of this group of claims. 

Claim 17 further limits claim 14 to require the hash function adapt to map to the new 
number of buckets as the new number of buckets changes. Lyle does not teach the use of a hash 
I - s ^t oi r i > >nk< j >( ^ i u ^ m K' k \iin i < 1 i > , is , , u v s 

feature at (col. 9, lines 3-45). 

Neither Hsu nor Lyle at the cited passages teach or have any suggestion of a hash 
function that adapts to map to the new number of buckets, as the new number of buckets 

pnrr^seo of tins appear <r\\y clanua ?J> and 55 ehnwi o- sad vgvibu ; " a*'U 2r is 
fop:-.'ivmjtj\t --v. ie- % ijionp of ckus us 

Chuw 55 nmhc hauls ela m 21 it. a kHt function thai eaan^. ^ p-_';iodic<i Is n. a 
r.-ncomiv seel ;s acnes .-.o tha; packet; arc ieassigm-el U> e-ufere-r hnekct ^ ' \ .e, ^- .sdumkd by 
;Jv cx.mif.KT. kuh- io i w clauued h isb fmctioj- V-rku L>k n*-, I * .*td-: \ .r^ .i.tv 

hoc ioi ,i jot 'sas: uii'<.'{:.»ji ll>: nupu v^, since L\ k- u vreh ih\'-- ne •■a 0 *; an;, uor a^ nart t>- 
lie foi;imi»:.caT:or p-.Mo^. a ac;e ^ I bu use - tlx bask »-.. en<nth<ae ensne^ s - } d h.c. em d.-e.< 
not singes* a: \ need foi sjcje<-\ ,n bo\\ dam records an: dssnsb :icd is- ! iv \.\hh. appaienih <vmvc, 
: : oa eodects fh^ frt.-r do* ces on the netwo-.k apparently as par. vf a u>e L<\ whue. "... 
rv r.cbu>-.k c .\ lv analyzed and p x^bh sedas^mxl So: mmro\oe. trat^rr i;.-io u f c am pacs^is 
across the network 

I in the bucket to a 
>.r analogous reasons 

Claim 58 further limits claim 21 reciting that the variable number of buckets dynamically 
adjusts the amount of traffic and number of flows monitored so that the data collector is not 

t 1 <- "n i . k ii ' s <■ t. Uk t ilHiuWl' V s \1 U i.| s 

iTvXl.<«jisn: to protect the tracking system from a denial of service attack against its own 
resources. Variable number of buckets dynamically prevents such an exploit. 

Claim 59 

Claim 59 further limits claim 21 to a data collector that uses the variable number of 
buckets to efficiently identify the source or sources of an attack, by breaking down traffic into 
different buckets and examining statistics accumulated for a parameter and a corresponding 
threshold in each bucket. Lyle does not suggest this feature. Lyle use* ev em.-* . ml "Mjs.sa^e.-s 



C .<nm e- u c.bcr \n..ls cknn 21 V comparing the \.duc atvenuieie. 

Conclusion 

Appellant contends, therefore, that Claims ; oO and 52 are allowable over the cited art. 
Therefore, the examiner erred in rejecting Appellant's claims, and should be reversed. 

Appendix of Claims 

' A :Ti<iCk.i[..' raipieajuited iaoih<\; of moauoiuii: baf r io Hov^ -n . oio.i^ v.ny. u-vice 
-sod to !v\.'^ o ih'i^o-x iranlc p.id.et?. comprise.- 

producing statistics corresponding to a parameter of traffic flow to trace a source of an 
attack, with producing further comprising: 

mapping the traffic flow into a plurality of buckets by applying a hash function "f(h)" to 
the parameter of the traffic flow to output an integer corresponding to one of the buckets; 

comparing the number of buckets to a threshold; and 

determining whether the number of buckets should be divided into more buckets or 
combined into fewer buckets based on comparing the number of buckets to the threshold. 

2. The method of claim 1 wherein the buckets are storage areas in a memory space. 



od 1 1 at l 1. n , In [ j 0. 



o* a ? I Hh v uj bt h. d uiv ,0 1 



( k , < U af n ui t op pa u A - 
uv io n w u 10 b ,J v t<> 05 1 > 



1. 



o + j ! H'-sost 1 !,, Le \ >< oJo juj > < 1 <i 1> tht\< r 



> \ k n t o in v o v n n !iu\r rD 1 I u _ ^ ' v. w 
<\ -\ valeo TK- ;vu,oc or v.ii'cos of.^itacL by bt caking Ju\%n UaiYic aitTuvm bj , k 
ov.iunniji^ .>i;U.<::o ucc :;r..;k lod Vr ;\ oanrmao! ond u. c-.-irc^po;:<. : u>j Uirc-ivld ■ o ~ s) i 

> ' o . 1 <. i>, , . ^ I - i ion I o u\ui> h'i i to o ' at t !' f< ^ 



hi h v va o v 



* ^ i H v i v > h ) viu <.m< k_Ox us utvi v < bic for -nonitonnff 
i t u k » t > i * mi \ _o ■> > ! i < t I s o < > i i <. ts-puter to: 

map the traffic flow into a plurality of buckets by applying a hash function "f(h)" to a 
parameter of the traffic flow to output an integer corresponding to one of the buckets; 
accumulate statistics from the packets; and 

compare the accumulated statistic values from the bucket to configured threshold values 
corresponding to the number of buckets to determine that an event is of significance; and 
adjust the number of buckets as the number of buckets approaches a second threshold. 

! >. 1 .a. CMtiVfu ,t pjoeraal puxhia of churn : i *\ 1 d or 'L *.v-mv 

i i^ahoM the bucket jiv d \uko -t;to n v\\ hackus oj > oinbuioo :mo l\ ^hu>. 



s aomoriw mstmettors ir 

do ide 1 sv bucket a:a> a ca^ice; nuanhe* ofoe^ 
iginal bucket 



\" * he computer pjoetani p-tnluci .»f chum l~ ^ buetn the ! an-:;-e^ ad^pt- 
ot. tp to the new nvukr .M'hLi^.-.ts a.-. ih<. utw number o: buckets ^.harL'es 

• ^ The eomni.Xi rao^atn nr. i.ket oi clam 14 v,he'< >a ?L> pa; a;xt.a ^ :U oou 
man\ p.irL-is .Ja~ .e^lLvto: os y<i\c\\ -iy <.\an:ai.^ 

1° Flit e>nnp»k^ program product of ekiuv U tthcicu the belief* in storage . 

20. The computer program product of claim 14 wherein the hash function changes 
periodically in a randomly secret manner so that packets are reassigned to different buckets. 

21. A data collector to collect statistical information about network flows comprises: 
a computer readable medium; 

a computing device that executes a computer program product fh>-' v or s he computer 
readable medium comprising instructions to cause the computing device to: 

map the traffic flow into a plurality of buckets by applying a hash function "f(h)" to a 
parameter of the traffic flow to output an integer corresponding to one of the buckets; 
accumulate statistics from the packets; and 

compare the accumulated statistic values from the buckets to configured threshold values 
corresponding to the number of buckets to determine that an event is of significance; and 

adjust the number of buckets as the number of buckets approaches a second threshold. 

OS< L-iis r > ,u - eaueeLd, 

~'U ri:v. cata .oiV. u\ <>> eb ir. „\ wk. v lvm.,.! e - 1 1 ^ . b t j 
d-XKu-O a;io p...- re euckek-. e-i continued f Po tene as 

a". : he J.uii <^;Ueek>: as < iano 2\ \Mie.ur < t v - n i to a * ^ n \< >e 
trucuons to 

<lhub f>. b.ieket nro ^ Oiffejeu' namrei ot ne\U t,k.'- onuvir * H de o c 1 <i , 
; original bucket 

-U i *.» - Oi J - ! "wie eVhe 1 v i a ! pu s > •(> < \ a/ 
^ iv v >j^vos jmk r\ trV of b vkft^eh 

^ .he a.*t: collector . U <n-} 2l vxh.rcp, the .\uan.< M ^ .he eo.n t .« 1 ov. i ay 
v a to ,.clo' w« n 11 ^ >k,K m me b 1 \<i- u. ^ erase area.s h; ihe 

< < V ho UV .v." SCO 

ii i t ta o'uiOi i i J ir„' \ LkmIcIw t< eno* changes periodically in a 
;N < ' ~ ! b pi iK>i ~ 5<^v ^ UPv'J to u .1 <Lts. 



cor ,h v > o 



^ «. Ov««t vol cc o\h nhovn >^ u„.n o, - aociu tor otic j?ueke- 

approaches a threshold, the monitoring device raises an alarm. 

58. The data collector of claim 21 wherein the variable number of buckets 
dynamically adjusts the amount of traffic and number of flows monitored, so that the data 
collector is not vulnerable to a denial of service attack against its own resources. 

59. The data collector of claim 21 wherein the variable number of buckets efficiently 
identifies the source or sources of attack by breaking down traffic into different buckets and 
examining statistics accumulated for a parameter and a corresponding threshold in each bucket. 

60. The data collector of claim 21 wherein the traffic is monitored at multiple levels 
o is iu . .S ",.o ^ ueou ;Ln« 

61. The data collector of claim 21 wherein the traffic is applied to monitoring of TCP 
packet ratios and repressor traffic. 

"IT 1 1 K J , j< OH S >l\ >. buckv* 

< - < 0 <.,vw Ov Oldni? Us i' ^ t < 1 •> k> > i v v ! 1 K • * 

iv.tl „<>"" > t' , u * , o v s >h l i _ n and 



s " O M <1 s Vl i < to ) >S Had > lit } In >H OCIn. 

«*' ' '5 iJOv > k,\U' iO - ht- t . , < ^fs.N 

\ >. U H H; ) „ v.' J. U t, iU 0 hi « k«' - h i J 1 kVi )tO i iXiOkOSo 

' 11 ! i ^ ' rUvkOv * A'K^i pv> t H! v+ heitSt:, s o *. v. n i m < n ,^.v--'<\ <md <to 
the number of buckets changes, the buckets have values derived from the buckets prior to the 



k - . totr HJv. suvvot^ o second threshold values to 
!vA 1 o iJ 11 „ OkKj <i 
ju J ' 'iH i h ,dvf to 



> « i o ' i in ' v.^i \ i <h>v ■> " \ u K i} ^ dynamically 
i ( < M an •> (i <•)■< ro* to Oi m. f ! ring device ia nos 

U ti tl A is is ,w 

<• i v t! t of v \ o" < »\ <. t ire b «ckc »v i«» ... . s a memory space 
ot i u i^v^ h irp i >k i Jon n o o>U i u u h ulo <» < 

1 Jt H t >> v'l if t ptl W o ti i t v W > Uhll 1 

corresponding to one of the buckets. 

70. A computer program product residing on a computer readable medium for 
monitoring traffic flow in a monitor device disposed to receive network packets, the computer 
program product comprises instructions for causing the device to: 

produce statistics corresponding to a parameter of the traffic flow to trace a source of an 
attack, with producing further comprising: 

map the traffic flow into a plurality of buckets; 

vary the number of buckets according to the amount of traffic and number of flows to 
ve^J^s,; ^ . )( V'\ < >o . ._i\^tj.k.-^ jhj 

analyze statistics accumulated for a parameter and a corresponding threshold in the 
bucket to identify a source of the attack. 

71. The computer program product of claim 70 wherein instructions to vary, vary the 
number of buckets so that the monitoring device is not vulnerable to DoS attacks against its own 
resources. 

vvom.it* eio- ^ n \ out < ifvl.mr' v^!t{ j 'Mm ^ \ < 

composes instructions -o: 

<> iUK ' i ) \<0l Vu* J h viiHLUV \vkvH 

s v v w<>> >i\i rt <h v o b <Uh M K 1 J ^vv i Mo * v v 
• ti 5 i \f( \.o\.e es ^ >, as lt L\ l s Ju^ vOf," l lor \^ i v v. ^ ,0* s< f o 

change. 

fhe --o:np; ; -c- piultuk product oi drain 7n ftmlur omprising instructions to: 

"jj ^ . . o v<\ . 3 . ,s-j. * , o> ! o:r «bo I.. Is i„e \\ « - ...\>> \ " „ jcs ,o 

74. The computer program product of claim 70 wherein instructions to compare 
statistics comprise instructions to: 

compare the values accumulated in the buckets to thresholds that depend on the number 
of buckets. 

N > f ~ v t u k pvdu. >i c«n» i ~'> V 4 . • 1\ ^ lv r < > 

! ^ s < k v 1 v »J ' l.f MllClfv, 5 o L < ^ N v t j 0 j <■ 

" " ' 5 J'vvv* 1 * k!U >M k'lidlol s.hO' lolt s W CSvL< 

> I Cav-.vut u r» f o p<t Ouvii s * 